In our previous article, we discussed what the MITRE ATT&CK framework is and its benefits. In this article, let us look at how we can use the MITRE ATT&CK framework for threat hunting, or in other words how to hunt APT groups using the MITRE ATT&CK framework. Before that, let's clarify some concepts: APT groups, threat hunting, and the cyber kill chain.
What is An APT Group?
Advanced Persistent Threats (APTs) are sophisticated hacker groups, often state- or nation-sponsored, that are capable of infiltrating a network and lodging in it for an extended period of time without being detected. These groups are resourceful, with access to vast resources, time, and expertise to conduct large-scale infiltration operations. They remain undetected by using a range of techniques that let them gain access to systems and networks without raising suspicion.
What is Threat Hunting?
Threat hunting is the proactive approach of searching for indications of malicious activity or the presence of a threat actor within an organization’s networks and systems. The goal of threat hunting is to detect, investigate, and respond to potential malicious activity before it can cause damage.
APT groups are so advanced that their average dwell time in an organization's network without being detected can be around 15-20 days. Their activities are so subtle that defensive tools might not catch them. Threat hunting helps to catch such malicious activity, or the APT group behind it, and stop it before it causes more damage.
What is the Cyber Kill Chain?
The cyber kill chain is a framework developed by Lockheed Martin that describes the stages and structure of an attack. The cyber kill chain consists of 7 steps.
- Reconnaissance: Collecting information about the target from open-source intelligence (social media, search engines, etc.).
- Weaponization: The attacker develops malware suited to the target by leveraging security vulnerabilities.
- Delivery: The weaponized or customized tool is delivered to the target.
- Exploitation: This is where the actual exploitation happens: the user clicks the malicious link, opens an infected USB drive, etc.
- Installation: Additional tools are installed on the compromised machine.
- Command and Control (C&C): In this phase, the attacker starts communicating with the infected machine, and data transfer happens.
- Actions on Objectives: The attacker carries out the actual goal of the intrusion.
MITRE ATT&CK vs Cyber Kill Chain
As we discussed in the previous article, the MITRE ATT&CK framework is built from references to real-life attacks. We also discussed the tactics in the MITRE ATT&CK framework. All 14 tactics are arranged in such a way that they reflect the stages of the cyber kill chain.
How to Hunt APT Groups Using the MITRE ATT&CK Framework?
Threat hunting is a very broad term, so in order to hunt for an APT group with the help of the MITRE ATT&CK framework, we need to follow some steps.
Find and research the behaviour
The analyst should understand what they are looking at. The primary and most important step is to understand why the attacker is performing the attack: what their intent is, and what they are trying to achieve.
The behaviour can come from raw data from an ongoing incident or from a finished intelligence report. Researching the port number or the commands used online can give more visibility into what to search for.
Translate the behaviour into a Tactic
The behaviour can be obtained from a finished intelligence report or from raw data. If the source is a finished report, it is easier for the analyst to match it with a tactic, as the author of the report may have provided the intent behind the attack. Mapping a tactic from raw data can be more difficult; analysts need good domain knowledge to understand the behaviour and map it to a tactic.
Figuring out the Technique from the Tactic
Once the tactic is identified, we can look at all the techniques listed under that tactic, which narrows the search. Another way of mapping is to research the behaviour further and map it directly to a MITRE ATT&CK technique. Mapping an observation to a technique can be tedious; searching for keywords in the ATT&CK matrix makes it easier.
Working as a group of analysts also helps. Since analysts are human, each of us has different biases, so there is a good chance that different people will categorize the same behaviour as different techniques. Discussing these scenarios helps to look at the attack from different perspectives, and that can provide more insight into it.
Once all these steps are done, we understand where we stand in the cyber kill chain. If the stage is an early one, the damage is least: if the attacker is still in the initial reconnaissance stage or has just dropped the payload when the attack is identified, we can mitigate it faster.
Now consider that the stage we identified lies in the middle of the tactics list (or of the cyber kill chain), for example that the attack was observed in the 'persistence' stage. The MITRE ATT&CK framework then helps the analyst look for the stages preceding and following the identified one. The hunter can look for how the attack initially started and which system is patient zero, and can also check the later stages to confirm whether the attacker's foothold extends further.
With all the data collected and the tactics and techniques identified, the threat hunter can look specifically for any attacker group targeting the infrastructure. For example, consider the sub-technique Phishing: Spearphishing Attachment (ID: T1566.001).
All the primary details are provided in the right-side window of the technique page.
As we scroll down, we can see the attacker groups that use spearphishing attachments as their method of initial intrusion.
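The steps above, carried through in code as an added example (not part of the original article): keyword-search a small excerpt of the matrix with an observed behaviour, place the resulting technique on the kill chain to get the stages to hunt before and after it, and rank the groups known for the observed techniques. The technique IDs, names and tactics are real ATT&CK entries, but the keyword lists and the per-technique group lists are constructed for this illustration; for a real hunt they would be loaded from the ATT&CK STIX data.

```python
# Constructed excerpt of the ATT&CK matrix for offline use. Technique IDs, names
# and tactics are real ATT&CK entries; keyword and group lists are illustrative
# and are NOT copied from ATT&CK data.
TACTIC_ORDER = [  # Enterprise tactics in kill-chain order
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]
TECHNIQUES = {
    "T1566.001": {"name": "Phishing: Spearphishing Attachment", "tactic": "initial-access",
                  "keywords": ["phishing", "attachment", "email"],
                  "groups": ["APT29", "EXAMPLE-GROUP-B"]},
    "T1059.001": {"name": "Command and Scripting Interpreter: PowerShell",
                  "tactic": "execution", "keywords": ["powershell"],
                  "groups": ["APT29", "EXAMPLE-GROUP-C"]},
    "T1547.001": {"name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
                  "tactic": "persistence", "keywords": ["run key", "startup folder"],
                  "groups": ["EXAMPLE-GROUP-B"]},
    "T1071.001": {"name": "Application Layer Protocol: Web Protocols",
                  "tactic": "command-and-control", "keywords": ["http", "beacon"],
                  "groups": ["APT29", "EXAMPLE-GROUP-C"]},
}

def find_techniques(behaviour):
    """Keyword-search the matrix with the observed behaviour; best match first."""
    text = behaviour.lower()
    hits = [(sum(kw in text for kw in t["keywords"]), tid) for tid, t in TECHNIQUES.items()]
    return [tid for score, tid in sorted(hits, key=lambda h: (-h[0], h[1])) if score]

def hunt_window(technique_id):
    """Place the technique's tactic on the kill chain and return the stages to hunt
    before it (how did it start? which host is patient zero?) and after it."""
    i = TACTIC_ORDER.index(TECHNIQUES[technique_id]["tactic"])
    return {"stage": i + 1, "before": TACTIC_ORDER[:i], "after": TACTIC_ORDER[i + 1:]}

def candidate_groups(technique_ids):
    """Rank groups by how many of the observed techniques they are listed under."""
    counts = {}
    for tid in technique_ids:
        for g in TECHNIQUES[tid]["groups"]:
            counts[g] = counts.get(g, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    # Constructed observation from an incident: a user opened a mail attachment,
    # after which a PowerShell process started.
    obs = "user opened a spearphishing email attachment, then powershell.exe launched"
    ids = find_techniques(obs)
    print(ids, hunt_window(ids[0]), candidate_groups(ids))
```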
The ATT&CK Navigator
The ATT&CK Navigator is a free tool provided by MITRE ATT&CK that shows all the tactics and techniques covered by each APT group. If we want to know more about APT29, search for APT29 in the search tab, or open it from the 'Groups' menu in the top bar. There we can find the associated groups, or the different names given to APT29. Scrolling down, all the techniques are listed as well; just before them is a bar for the ATT&CK Navigator.
Clicking the ATT&CK Navigator bar takes us to a page like this.
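Besides viewing the layers MITRE publishes per group, a hunter can build their own Navigator layer from what the hunt found. The following added example (not code from the article or from MITRE) builds such a layer, scoring each observed technique by the number of hosts it was seen on, and merges two analysts' layers so that a technique only one of them mapped still shows up in the combined view. The technique IDs are real ATT&CK entries; the host counts and both analysts' findings are constructed.

```python
import json

# Constructed hunt findings: ATT&CK technique IDs observed during the hunt and the
# number of hosts each was seen on. IDs are real ATT&CK entries; the counts and the
# second analyst's findings are made up for this example.
ANALYST_A = {"T1566.001": 1, "T1059.001": 3, "T1547.001": 2}
ANALYST_B = {"T1059.001": 1, "T1071.001": 2}

def build_layer(name, findings, domain="enterprise-attack"):
    """Build an ATT&CK Navigator layer (the JSON accepted by 'Open Existing Layer').
    Each observed technique gets its host count as the score, so the Navigator heat
    map shows how far a technique has spread; unobserved techniques stay unscored."""
    return {
        "name": name,
        "versions": {"layer": "4.5"},
        "domain": domain,
        "description": "Constructed example layer for a threat hunt",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"seen on {n} host(s)"}
            for tid, n in sorted(findings.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(findings.values(), default=1)},
    }

def merge_layers(name, *layers):
    """Sum the scores of several analysts' layers into one combined layer, so that a
    technique only one analyst mapped (different biases, as the article notes) is kept."""
    totals = {}
    for layer in layers:
        for t in layer["techniques"]:
            totals[t["techniqueID"]] = totals.get(t["techniqueID"], 0) + t["score"]
    return build_layer(name, totals, layers[0]["domain"])

def layer_json(layer):
    """Serialize a layer to the JSON text the Navigator imports."""
    return json.dumps(layer, indent=2)

if __name__ == "__main__":
    merged = merge_layers("Hunt - combined", build_layer("Analyst A", ANALYST_A),
                          build_layer("Analyst B", ANALYST_B))
    print(layer_json(merged))
```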
I would suggest everyone visit the MITRE ATT&CK matrix and explore it. The knowledge and details provided there are immense and diverse. A hands-on trial of the matrix will give you more ideas on how to move around. I hope this article helped in understanding how we can use the MITRE ATT&CK framework for threat hunting, or how to hunt APT groups using the MITRE ATT&CK framework.